策略验证支持wannat

2021-01-28 18:42:19 +08:00
parent 1a0cadafeb
commit c900e0ab28
8 changed files with 105 additions and 31 deletions
--- a/common/include/verify_policy.h
+++ b/common/include/verify_policy.h
@@ -17,10 +17,17 @@ enum verify_policy_type
 {
    PXY_TABLE_SECURITY,
    PXY_TABLE_MANIPULATION,
+    PXY_TABLE_WANNAT,
    PXY_TABLE_DEFENCE,
    __SCAN_POLICY_MAX
 };

+enum common_scan_table
+{
+    PXY_COMMON_SOURCE_ADDR,
+    PXY_COMMON_DESTINATION_ADDR
+};
+
 enum manipulate_sacn_table
 {
    PXY_CTRL_SOURCE_ADDR,
@@ -76,6 +83,14 @@ enum security_scan_table
 	__SECURITY_TABLE_MAX
 };

+enum wannat_scan_table
+{
+    PXY_WANNAT_SOURCE_ADDR,
+    PXY_WANNAT_DESTINATION_ADDR,
+	__WANNAT_TABLE_MAX
+};
+
+
 enum http_ev_bit_number
 {
 	IP_BITNUM = 0,
@@ -160,6 +175,8 @@ void http_get_scan_status(struct verify_policy_query_obj *query_obj, int type, c

 int security_policy_init(struct verify_policy * verify, const char* profile_path);

+int wannat_policy_init(struct verify_policy * verify, const char* profile_path);
+
 int http_hit_policy_list(enum verify_policy_type policy_type, size_t hit_cnt, cJSON *data_obj, void *pme);

 #endif
--- a/conf/verify_policy.conf
+++ b/conf/verify_policy.conf
@@ -20,6 +20,7 @@ thread-nu = 4
 maat_input_mode=1
 table_info=./resource/table_info_proxy.conf
 table_info_tsg=./resource/table_info_security.conf
+table_info_wannat=./resource/table_info_wannat.conf
 json_cfg_file=./resource/pangu_http.json
 stat_file=logs/verify-policy.status
 full_cfg_dir=verify-policy/
--- a/platform/CMakeLists.txt
+++ b/platform/CMakeLists.txt
@@ -6,7 +6,7 @@ add_executable(verify-policy src/verify_policy.cpp)

 #target_include_directories(verify-policy PUBLIC ${CMAKE_CURRENT_LIST_DIR}/include)

-target_link_libraries(verify-policy common pangu-http)
+target_link_libraries(verify-policy common policy_scan)
 target_link_libraries(verify-policy pthread dl
 		libevent-static
 		MESA_handle_logger
--- a/platform/src/verify_policy.cpp
+++ b/platform/src/verify_policy.cpp
@@ -73,6 +73,7 @@ enum verify_policy_type tsg_policy_type_str2idx(const char *action_str)
 	const char * policy_name[__SCAN_POLICY_MAX];
 	policy_name[PXY_TABLE_SECURITY] = "tsg_security";
 	policy_name[PXY_TABLE_MANIPULATION] = "pxy_manipulation";
+	policy_name[PXY_TABLE_WANNAT] = "pxy_wannat";
 	policy_name[PXY_TABLE_DEFENCE] = "active_defence";

 	size_t i = 0;
@@ -88,8 +89,8 @@ enum verify_policy_type tsg_policy_type_str2idx(const char *action_str)

 int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_str, char *buff, char **p)
 {
+	size_t scan_table_max=0;
 	const char * table_name[__SECURITY_TABLE_MAX] ={0};
-	size_t max = type != PXY_TABLE_MANIPULATION ? (int)PXY_SECURITY_FTP_ACCOUNT : (int)PXY_CTRL_DOH_HOST;

 	switch(type)
 	{
@@ -106,6 +107,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
 			table_name[PXY_CTRL_APP_ID] = "TSG_OBJ_APP_ID";
 			table_name[PXY_CTRL_DOH_QNAME]="TSG_FIELD_DOH_QNAME";
 			table_name[PXY_CTRL_DOH_HOST]="TSG_FIELD_DOH_HOST";
+			scan_table_max = PXY_CTRL_DOH_HOST;
 			break;
 		case PXY_TABLE_SECURITY:
 			table_name[PXY_SECURITY_SOURCE_ADDR]="TSG_SECURITY_SOURCE_ADDR";
@@ -117,6 +119,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
 			table_name[PXY_SECURITY_HTTP_RES_HDR] = "TSG_FIELD_HTTP_RES_HDR";
 			table_name[PXY_SECURITY_HTTP_RES_BODY] = "TSG_FIELD_HTTP_RES_CONTENT";
 			table_name[PXY_SECURITY_SUBSCRIBE_ID] = "TSG_OBJ_SUBSCRIBER_ID";
+			table_name[PXY_SECURITY_APP_ID] = "TSG_OBJ_APP_ID";
 			table_name[PXY_SECURITY_HTTPS_SNI] = "TSG_FIELD_SSL_SNI";
 			table_name[PXY_SECURITY_HTTPS_CN] = "TSG_FIELD_SSL_CN";
 			table_name[PXY_SECURITY_HTTPS_SAN] = "TSG_FIELD_SSL_SAN";
@@ -132,7 +135,12 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
 			table_name[PXY_SECURITY_FTP_URI] = "TSG_FIELD_FTP_URI";
 			table_name[PXY_SECURITY_FTP_CONTENT] = "TSG_FIELD_FTP_CONTENT";
 			table_name[PXY_SECURITY_FTP_ACCOUNT] = "TSG_FIELD_FTP_ACCOUNT";
-			table_name[PXY_SECURITY_APP_ID] = "TSG_OBJ_APP_ID";
+			scan_table_max = PXY_SECURITY_FTP_ACCOUNT;
+			break;
+		case PXY_TABLE_WANNAT:
+			table_name[PXY_WANNAT_SOURCE_ADDR]="TSG_SECURITY_SOURCE_ADDR";
+			table_name[PXY_WANNAT_DESTINATION_ADDR]="TSG_SECURITY_DESTINATION_ADDR";
+			scan_table_max = PXY_WANNAT_DESTINATION_ADDR;
 			break;
 		case PXY_TABLE_DEFENCE:
 			break;
@@ -140,7 +148,7 @@ int protoco_field_type_str2idx(enum verify_policy_type type, const char *action_
 			break;
 	}
 	size_t i = 0;
-	for (i = 0; i <= max; i++)
+	for (i = 0; i <= scan_table_max; i++)
 	{
 		if (0 == strcasecmp(action_str, table_name[i]))
 			break;
@@ -878,6 +886,9 @@ int main(int argc, char * argv[])
 	ret = proxy_policy_init(g_verify_proxy, main_profile);
 	CHECK_OR_EXIT(ret == 0, "Failed at init panggu module, Exit.");

+	ret = wannat_policy_init(g_verify_proxy, main_profile);
+	CHECK_OR_EXIT(ret == 0, "Failed at init wannat module, Exit.");
+
 	clock_gettime(CLOCK_REALTIME, &(end_time));
 	mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Read table_info_proxy.conf, take time %lu(s)", end_time.tv_sec - start_time.tv_sec);
 	printf("Read table_info_proxy.conf, take time %lu(s)\n", end_time.tv_sec - start_time.tv_sec);
--- a/resource/table_info_wannat.conf
+++ b/resource/table_info_wannat.conf
@@ -0,0 +1,17 @@
+#each collumn seperate with '\t'
+#id	(0~65535)
+#name string
+#type one of ip,expr,expr_plus,digest,intval,compile or plugin
+#src_charset one of GBK,BIG5,UNICODE,UTF8
+#dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/'
+#do_merege yes or no
+#cross cache 0~max
+#quickswitch quickon or quick off
+#id	name			type	src_charset	dst_charset	do_merge cross_cache quickswitch
+0	WANNAT_COMPILE	compile escape  --
+1	GROUP_COMPILE_RELATION	group2compile   --
+2	GROUP_GROUP_RELATION	group2group     --
+3	TSG_OBJ_IP_ADDR ip_plus --
+4	TSG_SECURITY_SOURCE_ADDR	virtual	TSG_OBJ_IP_ADDR --
+5	TSG_SECURITY_DESTINATION_ADDR   virtual TSG_OBJ_IP_ADDR --
+6	TSG_SECURITY_ADDR	composition	{"source":"TSG_SECURITY_SOURCE_ADDR","destination":"TSG_SECURITY_DESTINATION_ADDR"}
--- a/scan/CMakeLists.txt
+++ b/scan/CMakeLists.txt
@@ -1,6 +1,6 @@
-add_library(pangu-http src/pangu_http.cpp)
-target_include_directories(pangu-http PUBLIC ${CMAKE_CURRENT_LIST_DIR}/incluce)
-target_link_libraries(pangu-http PUBLIC common pthread cjson maatframe) 
+add_library(policy_scan src/policy_scan.cpp)
+target_include_directories(policy_scan PUBLIC ${CMAKE_CURRENT_LIST_DIR}/incluce)
+target_link_libraries(policy_scan PUBLIC common pthread cjson maatframe) 



--- a/scan/include/policy_scan.h
+++ b/scan/include/policy_scan.h
@@ -1,5 +1,5 @@
 /*************************************************************************
-	> File Name: panggu_http.h
+	> File Name: policy_scan.h
 	> Author:
 	> Mail:
 	> Created Time: 2019年08月26日 星期一 19时30分49秒
--- a/scan/src/policy_scan.cpp
+++ b/scan/src/policy_scan.cpp
@@ -1,5 +1,5 @@
 /*************************************************************************
-	> File Name: pangu_http.cpp
+	> File Name: policy_scan.cpp
 	> Author:
 	> Mail:
 	> Created Time: 2019年08月23日 星期五 16时53分25秒
@@ -24,27 +24,27 @@

 #define	MAX_SCAN_RESULT				16

-enum pangu_action //Bigger action number is prior.
+enum pangu_action
 {
 	PG_ACTION_NONE = 0x00,
 	PG_ACTION_MONIT = 0x01,
-	PG_ACTION_FORWARD = 0x02,    /* N/A */
+	PG_ACTION_INTERCEPT = 0x02,    /* N/A */
+	PG_ACTION_ACTIVE_DEFENCE = 0x04,
+	PG_ACTION_WANNAT = 0x08,
 	PG_ACTION_REJECT = 0x10,
-	PG_ACTION_DROP = 0x20,    /* N/A */
 	PG_ACTION_MANIPULATE = 0x30,
-	PG_ACTION_RATELIMIT = 0x40,    /* N/A */
-	PG_ACTION_LOOP = 0x60,    /* N/A */
+	PG_ACTION_INLINE_DEVICE = 0x60,
 	PG_ACTION_WHITELIST = 0x80,
 	__PG_ACTION_MAX
 };

-enum tfe_http_std_field
+enum http_std_field
 {
-	TFE_HTTP_UNKNOWN_FIELD = 0,
-	TFE_HTTP_USER_AGENT,
-	TFE_HTTP_COOKIE,
-	TFE_HTTP_SET_COOKIE,
-	TFE_HTTP_CONT_TYPE,
+	HTTP_UNKNOWN_FIELD = 0,
+	HTTP_USER_AGENT,
+	HTTP_COOKIE,
+	HTTP_SET_COOKIE,
+	HTTP_CONT_TYPE,
 };

 enum verify_profile_table
@@ -77,7 +77,7 @@ struct ip_data_table
 struct http_field_name
 {
 	const char * field_name;
-	enum tfe_http_std_field field_id;
+	enum http_std_field field_id;
 };

 struct ip_data_ctx
@@ -176,9 +176,10 @@ void __pangu_action_weight_init()
 {
 	pangu_action_weight[PG_ACTION_NONE] = 0;
 	pangu_action_weight[PG_ACTION_MONIT] = 1;
-	pangu_action_weight[PG_ACTION_MANIPULATE] = 2;
-	pangu_action_weight[PG_ACTION_REJECT] = 3;
-	pangu_action_weight[PG_ACTION_WHITELIST] = 4;
+	pangu_action_weight[PG_ACTION_INTERCEPT] = 2;
+	pangu_action_weight[PG_ACTION_MANIPULATE] = 3;
+	pangu_action_weight[PG_ACTION_REJECT] = 4;
+	pangu_action_weight[PG_ACTION_WHITELIST] = 5;
 }

 static inline int action_cmp(enum pangu_action a1, enum pangu_action a2)
@@ -716,10 +717,9 @@ int http_hit_policy_match(int result_config[], int cnt, int config)
 int http_hit_policy_list(enum verify_policy_type policy_type, size_t hit_cnt, cJSON *data_obj, void *pme)
 {
 	bool succeeded = false;
-	size_t rules=0, i=0, j = 0;
+	size_t rules=0, i=0;
 	int result_config[MAX_SCAN_RESULT] = {0};

-	Maat_feather_t maat = g_pangu_rt->maat[policy_type];
 	struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme;

 	hit_cnt = ctx->hit_cnt;
@@ -993,11 +993,11 @@ size_t verify_policy_scan(enum verify_policy_type policy_type, struct verify_pol
 	int scan_ret=0, n_read;
 	//size_t hit_cnt=0;

-	struct http_field_name req_fields[]={	{"User-Agent", TFE_HTTP_USER_AGENT},
-									        {"Cookie", TFE_HTTP_COOKIE}};
+	struct http_field_name req_fields[]={	{"User-Agent", HTTP_USER_AGENT},
+									        {"Cookie", HTTP_COOKIE}};

-	struct http_field_name resp_fields[]={	{"Set-Cookie", TFE_HTTP_SET_COOKIE},
-											{"Content-Type", TFE_HTTP_CONT_TYPE}};
+	struct http_field_name resp_fields[]={	{"Set-Cookie", HTTP_SET_COOKIE},
+											{"Content-Type", HTTP_CONT_TYPE}};

 	struct pangu_http_ctx * ctx = (struct pangu_http_ctx *) pme;
 	size_t hit_cnt = ctx->hit_cnt;
@@ -1005,7 +1005,7 @@ size_t verify_policy_scan(enum verify_policy_type policy_type, struct verify_pol
 	int protocol_field = query_obj->protocol_field;
 	const char *value = query_obj->keyword;

-	if ((protocol_field == PXY_CTRL_SOURCE_ADDR || protocol_field == PXY_CTRL_DESTINATION_ADDR) && query_obj->ip_addr != NULL)
+	if ((protocol_field == PXY_COMMON_SOURCE_ADDR || protocol_field == PXY_COMMON_DESTINATION_ADDR) && query_obj->ip_addr != NULL)
 	{
 		struct ip_address dest_ip, source_ip;
 		verify_ip_addr_to_address(query_obj->ip_addr, &dest_ip, &source_ip);
@@ -1250,6 +1250,34 @@ void subscribe_id_dup_cb(int table_id, MAAT_PLUGIN_EX_DATA* to, MAAT_PLUGIN_EX_D
 	return;
 }

+int wannat_policy_init(struct verify_policy * verify, const char* profile_path)
+{
+	int ret = -1;
+
+	g_pangu_rt->maat[PXY_TABLE_WANNAT] = create_maat_feather("static", profile_path, "MAAT", "table_info_wannat", g_pangu_rt->thread_num, g_pangu_rt->local_logger);
+	if (!g_pangu_rt->maat[PXY_TABLE_WANNAT])
+	{
+		goto error_out;
+	}
+	const char * table_name[__WANNAT_TABLE_MAX];
+	table_name[PXY_WANNAT_SOURCE_ADDR] = "TSG_SECURITY_SOURCE_ADDR";
+	table_name[PXY_WANNAT_DESTINATION_ADDR] = "TSG_SECURITY_DESTINATION_ADDR";
+
+	for (int i = 0; i < __WANNAT_TABLE_MAX; i++)
+	{
+		g_pangu_rt->scan_table_id[PXY_TABLE_WANNAT][i] = Maat_table_register(g_pangu_rt->maat[PXY_TABLE_WANNAT], table_name[i]);
+		if (g_pangu_rt->scan_table_id[PXY_TABLE_WANNAT][i] < 0)
+		{
+			mesa_runtime_log(RLOG_LV_FATAL, MODULE_NAME, "Wannat policy maat table %s register failed.", table_name[i]);
+			goto error_out;
+		}
+		mesa_runtime_log(RLOG_LV_DEBUG, MODULE_NAME, "Wannat policy register maat %p, table name %s, table id %d", g_pangu_rt->maat[PXY_TABLE_WANNAT], table_name[i], g_pangu_rt->scan_table_id[PXY_TABLE_WANNAT][i]);
+	}
+	ret = 0;
+error_out:
+	return ret;
+}
+
 int proxy_policy_init(struct verify_policy * verify, const char* profile_path)
 {
 	int ret = -1;